On Fri, Sep 05, 2003 at 12:14:53PM +0200, Ed White wrote:
> quoting from http://www.openbsd.org/34.html
> 
> "packet tagging (e.g. filter on tags added by bridge based on MAC address) "
> 
> Please tell me everything about it ;-)

simple.
from brconfig(8):

     # brconfig bridge0 rule pass in on fxp0 src 9:8:7:6:5:4 tag boss
     # brconfig bridge0 rule pass out on fxp0 dst 9:8:7:6:5:4 tag boss
               These commands will tag packets from and to 9:8:7:6:5:4 on fxp0
               so that pf(4) can refer to them using the tagged directive:
                     pass tagged boss keep state queue q_med


during the hackathon I added tagging functionality to pf.
you can tag packets and refer to them later.
that, for example, allows splitting classification and policy:

 #classification
 block proto tcp to port 23 tag oldjunk
 block proto tcp to port 22 tag good-hipri
 # etc etc etc

 #policy
 pass out on $ext_if tagged good-hipri keep state queue (q_hi, q_prio)
 block log out on $ext_if tagged oldjunk

another possible use is expressing trust relations between interfaces:

 pass in on $if1 from $blah to any tag src-if1 keep state
 pass out on $if2 tagged src-if1 keep state

of course, the next logical step was to allow other subsystems to tag 
packets. I did that for bridge filters a few weeks later - see above 
excerpt from brconfig(8).

this is implemented using mbuf tags, and that implies that tags are 
kinda persistent, i.e. they are added on one interface and can be 
used to filter on another interface.

We also modified the matching so that _every_ matching rule sets the 
tag, not just the last one.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
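The rule semantics Henning describes above (a tag set by any matching rule is sticky, `tagged` only matches a packet that already carries that tag, and the tag rides with the packet from one interface to the next) as a small constructed Python model. This is an added example, not Henning's code and not pf's implementation: interface names (`fxp0`, `if1`, `if2`, `if3`), the single queue label `q_hi`, the `block out on if2` baseline rule in the trust ruleset, and pf's "pass when nothing matches" default are assumptions of the model, and the exact moment pf writes the tag into the mbuf is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    """A packet as seen on the interface it is currently filtered on.
    `tag` stands in for the mbuf tag that travels with the packet."""
    iface: str
    direction: str              # "in" or "out"
    proto: str = "tcp"
    dport: Optional[int] = None
    tag: Optional[str] = None


@dataclass
class Rule:
    """One filter rule; None in a match field means 'any'."""
    action: str                 # "pass" or "block"
    direction: Optional[str] = None
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    tagged: Optional[str] = None   # match only if the packet already carries this tag
    tag: Optional[str] = None      # tag to set when this rule matches
    queue: Optional[str] = None
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        for want, have in ((self.direction, pkt.direction), (self.iface, pkt.iface),
                           (self.proto, pkt.proto), (self.dport, pkt.dport)):
            if want is not None and want != have:
                return False
        # 'tagged foo' needs the tag to be present at this point of evaluation
        return self.tagged is None or pkt.tag == self.tagged


@dataclass
class Verdict:
    action: str
    log: bool = False
    queue: Optional[str] = None
    tag: Optional[str] = None


def evaluate(rules: List[Rule], pkt: Packet) -> Verdict:
    """Last matching rule decides action/log/queue, but every matching rule
    that carries a tag sets it, so a later tagless match does not clear it.
    Nothing matching means pass (assumed pf default)."""
    verdict = Verdict("pass")
    for r in rules:
        if not r.matches(pkt):
            continue
        verdict = Verdict(r.action, r.log, r.queue)
        if r.tag is not None:
            pkt.tag = r.tag     # stored on the packet: later rules and other interfaces see it
    verdict.tag = pkt.tag
    return verdict


EXT_IF = "fxp0"   # stands in for $ext_if (assumed name)

# classification first, policy second, as in the mail
CLASSIFY_THEN_POLICY = [
    Rule("block", proto="tcp", dport=23, tag="oldjunk"),
    Rule("block", proto="tcp", dport=22, tag="good-hipri"),
    Rule("pass", direction="out", iface=EXT_IF, tagged="good-hipri", queue="q_hi"),
    Rule("block", direction="out", iface=EXT_IF, tagged="oldjunk", log=True),
]


def classify_and_police(dport: int) -> Verdict:
    """Filter one outbound TCP packet to `dport` on the external interface."""
    return evaluate(CLASSIFY_THEN_POLICY, Packet(EXT_IF, "out", "tcp", dport))


# trust between interfaces: only traffic that came in on if1 may leave on if2
TRUST = [
    Rule("pass", direction="in", iface="if1", tag="src-if1"),
    Rule("block", direction="out", iface="if2"),               # assumed deny baseline
    Rule("pass", direction="out", iface="if2", tagged="src-if1"),
]


def forward(in_iface: str) -> str:
    """Filter the same Packet object inbound on `in_iface` and then outbound on
    if2, so whatever tag it picked up on the way in is still attached."""
    pkt = Packet(in_iface, "in")
    evaluate(TRUST, pkt)
    pkt.iface, pkt.direction = "if2", "out"
    return evaluate(TRUST, pkt).action


# stickiness: the last matching rule has no tag, yet the earlier tag survives
STICKY = [
    Rule("pass", dport=22, tag="good-hipri"),
    Rule("pass", dport=22),
]


def sticky_tag() -> Optional[str]:
    return evaluate(STICKY, Packet("if1", "in", "tcp", 22)).tag


if __name__ == "__main__":
    for port in (22, 23, 80):
        print(port, classify_and_police(port))
    print("from if1 ->", forward("if1"), "; from if3 ->", forward("if3"))
    print("sticky tag:", sticky_tag())
```

Port 22 ends up passed on queue `q_hi` with tag `good-hipri`, port 23 is blocked and logged with tag `oldjunk`, a port that no classification rule mentions is untagged; a packet that entered on `if1` leaves on `if2` while one that entered elsewhere is stopped by the baseline block, and the tag set by an earlier rule is still there after a tagless rule matched last.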
